Lessons Learned

If you track issues related to the computer security industry you may be aghast at recent events, you may be popping open a third long-neck bottle of schadenfreude, but there is something everyone - pro, student, observer and potential consumer of security services alike - needs to remember... Security isn’t a monolith. That a given firm labels itself a computer security company does not mean they do everything well (ourselves included). There are in fact very few people who can speak to security writ large with breadth and depth. If you take the time to understand what a given company really does, what its principals do for a living, and where and how they market themselves, you will find out that they are probably really good at a few aspects of security and can address many others but they’re not “security” experts.

Sure, there are large security companies with significant resources and staff you can call on if you want a one-stop shop, but you don’t buy Gucci at Costco. Experts at OS internals are not a dime a dozen, and that expertise does not translate into being able to harden public-facing servers.

To be sure, when you don’t do things by the book you run a higher risk that most (everyone is faced with a moment of weakness when a ostensibly trusted colleague asks for a favor), but tricking someone into leaving a door open is not an invitation to enter. The old meat-space/cyber-space analog of jiggling door knobs comes to mind. The only real difference is that you’re less likely to face consequences if you act in cyber-space.

Keeping yourself and others secure online is easy: just don’t make any mistakes. Attacking is even easier: wait for and capitalize on the inevitable mistakes.

The real lesson recent events teaches us has nothing to do with politics or worldviews or skill-sets; its that getting owned isn’t something that happens to someone else: everyone is one misstep away from a disaster.